Friday, 2016-10-14

« Thursday, 2016-10-13 Index Saturday, 2016-10-15 »
*** guoshan has joined #openstack-keystone00:01
*** guoshan has quit IRC00:06
*** harlowja has joined #openstack-keystone00:06
*** haplo37_ has quit IRC00:25
*** haplo37_ has joined #openstack-keystone00:27
ayoungstevemar, morgan kindof embarrasing when Keystone can't do Policy correctly.  CAn we bump this one on https://review.openstack.org/#/c/371856/00:29
*** browne has quit IRC00:30
ayoungrderose, you can do that too.  i'm here to answer questions, but jamielennox has made Sisyphus  look like a shirker here.00:30
jamielennox:)00:31
jamielennoxdid the nova policy patch merge?00:31
ayoungjamielennox, no, still arguing that one00:32
ayoungbut it will00:32
ayoungfunctional tests are also fussy there00:33
r1chardj0n3shuh, I've been banging my head on keystone's v3 sample policy file, trying to figure out where some of the values come from, and then I see that patch "Fixing keystone's policy dict is going to be a big effort" :-D00:34
jamielennoxhttps://review.openstack.org/#/c/295371/ and https://review.openstack.org/#/c/370499/ are the next ones to look at00:34
david-lyler1chardj0n3s: what values?00:34
david-lyleone you have to set00:35
*** xek_ has quit IRC00:35
*** robcresswell has quit IRC00:35
jamielennoxkeystone flattens the entire user token data and drops it into policy00:35
r1chardj0n3sthere's these two lines, for example:00:35
r1chardj0n3s    "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",00:35
r1chardj0n3s    "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",00:35
*** xek_ has joined #openstack-keystone00:35
jamielennoxthis is a PITA for a number of reasons like the data format is very different between v2 and v3 tokens00:35
r1chardj0n3sI understand that the first one comes from target, that's easy, it's the flattened dict, but I don't know what the second "project.domain_id" is00:36
r1chardj0n3sI've been working thru the keystone source, but can't see how that makes it into the policy dict00:36
*** robcresswell has joined #openstack-keystone00:37
*** jlk has quit IRC00:37
ayoungr1chardj0n3s, i kinda want to kill that sample policy file00:38
*** jlk has joined #openstack-keystone00:38
*** jlk has quit IRC00:38
*** jlk has joined #openstack-keystone00:38
r1chardj0n3sayoung: lol, but it's all we've got! :-)00:38
ayoungr1chardj0n3s, let me fix the standard policy first....00:39
r1chardj0n3sfor some background, I'm coming from the perspective of a Horizon dev who's been told "Horizon is buggy because SSO federated domain admins can't admin projects in their domain..". and I'm having to learn what pretty much every word in that problem statement means (well, except the "Horizon is buggy" bit ;-)00:40
r1chardj0n3sso far I think I've determined that I'm pretty sure SSO federated logins *can't* have additional domains associated with their login...00:41
r1chardj0n3sbut I was also looking into whether Horizon was mis-applying policies, but I couldn't figure out what the policy was actually saying ;-)00:42
*** david-lyle_ has joined #openstack-keystone00:42
*** gagehugo has quit IRC00:42
r1chardj0n3s(that's federated logins can't have domains other than the ephemeral "Federated" domain associated with them)00:42
ayoungr1chardj0n3s, I'll help you on that00:42
r1chardj0n3s\o/00:42
*** david-lyle has quit IRC00:45
*** gyee has quit IRC00:46
ayoungr1chardj0n3s, let me get policy straight for the default cases first.  We're close...00:47
r1chardj0n3sayoung: yup00:47
r1chardj0n3sayoung: if there's anything I can do in the interim, pls lemme know00:49
*** spzala has quit IRC00:50
*** tqtran has quit IRC00:51
*** mnaser has quit IRC00:51
*** afazekas_ has quit IRC00:51
*** hoangcx has joined #openstack-keystone00:53
*** browne has joined #openstack-keystone00:59
jamielennoxksa release?01:07
jamielennoxexcellent, solves those patches we missed last time01:08
*** dflorea has quit IRC01:11
*** guoshan has joined #openstack-keystone01:14
*** zhugaoxiao has joined #openstack-keystone01:16
stevemardolphm or morgan: can you look https://review.openstack.org/#/c/386236/ its for stable/mitaka01:24
*** davechen has joined #openstack-keystone01:28
*** browne has quit IRC01:29
*** spzala has joined #openstack-keystone01:30
*** jamielennox is now known as jamielennox|away01:30
rderoseayoung: around?01:30
*** afazekas has joined #openstack-keystone01:31
openstackgerritGeorge Tian proposed openstack/keystone: Code cleanup  https://review.openstack.org/38479801:33
ayoungrderose, siepmre01:33
*** mnaser has joined #openstack-keystone01:33
*** mnaser has quit IRC01:35
*** mnaser has joined #openstack-keystone01:35
rderoseayoung: were you referring to https://review.openstack.org/#/c/371856/?01:35
ayoungrderose, yep01:36
ayoungrderose, here's the summary01:36
ayoungeverything is broken now01:36
rderoseayoung: okay, looking at it now01:36
rderoseeverything?01:36
rderose:)01:36
ayoungwe honor that brokeness, but provide a way to fix it01:36
ayoungrderose, adminess is broken01:36
ayoungbut we can't break everyone's tests to fix it01:36
ayoungso we fix by inches01:37
ayoungin this case, we provide a truely 'orrible 'ack01:37
*** spzala has quit IRC01:37
*** jamielennox|away is now known as jamielennox01:37
*** spzala has joined #openstack-keystone01:37
ayoungnamely, if the keystone server does not provide a field is_admin_project, the context defaults it to true01:37
ayoungso everything that was checking for admin in the past is still admin01:38
ayoungthis workas everywhere but keystione, becuase keystone never actually passes the value from context to the policy engine during the check01:38
*** wangqun has joined #openstack-keystone01:38
ayoungthis change only passes the value in...its a short term fix but essential01:38
*** jaosorior has quit IRC01:40
*** jaosorior has joined #openstack-keystone01:40
rderoseayoung: I see01:40
*** spzala has quit IRC01:42
rderoseayoung: needs a rebase01:42
rderosetoken model no longer checks for v3: if self.version is V3:01:42
rderosehttps://review.openstack.org/#/c/371856/3/keystone/models/token_model.py01:42
rderosehttps://github.com/openstack/keystone/blob/master/keystone/models/token_model.py01:43
openstackgerritayoung proposed openstack/keystone: Add is_admin_project to policy dict  https://review.openstack.org/37185601:53
ayoungjamielennox, can you cover those changes, so I can still approve?01:55
ayoungI did the auto rebase, but not the code01:55
*** sdake_ is now known as sdake02:01
r1chardj0n3somg ayoung that patch points to the bit I was missing re policy vars, nice timing :-)02:01
*** adrian_otto has joined #openstack-keystone02:16
openstackgerritmelissaml proposed openstack/oslo.policy: Change assertTrue(isinstance()) by optimal assert  https://review.openstack.org/38630902:18
*** ayoung_ has joined #openstack-keystone02:21
*** ayoung has quit IRC02:21
jamielennoxayoung_: sorry what?02:23
ayoung_jamielennox, I think rderose had legit comments on https://review.openstack.org/#/c/371856/02:24
openstackgerritmelissaml proposed openstack/keystone: Fix a typo in token_formatters.py  https://review.openstack.org/38631002:24
jamielennoxoh o, what have you done!02:24
jamielennox:)02:24
ayoung_namely, we changed TOkenModel out from underneath your02:24
*** ayoung_ is now known as ayoung02:25
*** iurygregory_ has quit IRC02:26
*** maticue has quit IRC02:26
jamielennoxno worries, i can fix that up quick02:27
ayoungjamielennox, I was wondering why I had 900+ unit tests failing when I started testing is_admin_project=True.02:27
ayoungI need to rebase on this patch...02:27
ayoungBut nova first02:27
openstackgerritJamie Lennox proposed openstack/keystone: Add is_admin_project to policy dict  https://review.openstack.org/37185602:32
jamielennoxayoung: ^02:33
ayoungTYVM02:33
*** adrian_otto has quit IRC02:40
ayoungjamielennox, brings it down to 103 Failuers :/02:44
jamielennoxkeystone unit tests?02:44
jamielennoxayoung:  i'll admit i didn't run the whole thing, but it passed a bunch and it passed the new ones i added so i let the gate do the rest02:45
ayoungjamielennox, I'll dig.  Your patch or mine, it needs to be fixed, but I doubt yours broke the trusts policy check...02:45
jamielennoxi wouldnt think so, no02:46
*** adrian_otto has joined #openstack-keystone02:47
openstackgerritGeorge Tian proposed openstack/keystone: Code cleanup  https://review.openstack.org/38479802:57
*** adrian_otto has quit IRC02:57
*** guoshan has quit IRC02:57
*** guoshan has joined #openstack-keystone03:03
openstackgerritayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/25763603:04
ayoungjamielennox, I figured that service role policies should also be in the admin project03:05
ayoungjamielennox, before I go crazy working out the tests, take a look and see if the policies I am setting there are sane, please.03:06
jamielennoxayoung: i'm not sure what you mean03:06
ayoungjamielennox, in that review I just posted on top of yours03:07
ayounghttps://review.openstack.org/#/c/257636/4/etc/policy.json03:07
jamielennoxayoung: i don't think you need the services in the admin project03:08
ayoungjamielennox, yes you do.  Otherwise, we can't let projects assign their own roles03:09
jamielennoxi'm not sure where else you put them, but because most read ops only need any role in a project giving service in the admin project is a fair bit of power03:09
jamielennoxprojects assign their own roles?03:09
ayounganyone anywhere could assign a user the service role.  That is supposed to be reserved for Nova, Glance, etc03:09
ayoungjamielennox, that is the goal here03:09
ayoungto let a project admin be able to assign any roles to their users03:10
ayoungotherwise, role assignment becomes something only the cloud_admin can do, and that does not scale03:10
jamielennoxyea, we don't have the rbac thing of who can assign what03:13
jamielennoxor even you can only delegate what you ahve03:13
jamielennoxayoung: so i'm still not sure you should make that change in the default policy file03:13
ayoungyeah, I know.  But still Service role is supposed to be a lower level administrative priv, so it should be on an admin project.03:13
jamielennoxmost people assign a service project somewhere with nothing in it03:14
ayoungcould make it a separate commit and we can fight over  it there if you want03:14
jamielennoxwell so the issue will be things like devstack, when we turn on the admin project check ( i think we have already) you'll break everyone03:15
jamielennoxcause the services aren't typically given roles on the admin project03:15
ayoungK03:15
ayoungwe can punt on it for now03:15
jamielennoxyea, we can discuss, but for getting this patch through i'd leave it out03:15
openstackgerritayoung proposed openstack/keystone: Add is_admin_project check to policy.json  https://review.openstack.org/25763603:15
ayoungI think we can make multiple projects into admin projects. That was one thing morgan had requested when we did this03:16
jamielennoxayoung: ha, i think i said that as well but was told we only need 103:16
jamielennoxand i think i'm ok with only one03:17
jamielennoxbut there's no reason you couldn't force a similar thing03:17
*** nicolasbock has quit IRC03:17
jamielennoxrole:service project_id:XXX03:17
ayoungjamielennox, yep, it is a stropt03:19
jamielennoxwhat's the advantage of multiple?03:21
openstackgerritSteve Martinelli proposed openstack/keystone-specs: Add reason to notifications for PCI-DSS events  https://review.openstack.org/38130203:35
*** spzala has joined #openstack-keystone03:38
*** spzala has quit IRC03:43
*** tqtran has joined #openstack-keystone03:46
*** links has joined #openstack-keystone03:59
*** guoshan has quit IRC04:05
*** guoshan has joined #openstack-keystone04:05
*** dikonoo has joined #openstack-keystone04:08
openstackgerritSteve Martinelli proposed openstack/keystone: Move the token abstract base class out of core  https://review.openstack.org/38610204:09
*** guoshan has quit IRC04:10
*** tqtran has quit IRC04:14
*** tqtran has joined #openstack-keystone04:17
openstackgerritSteve Martinelli proposed openstack/keystone: Return password_expires_at during auth  https://review.openstack.org/36700804:26
*** GB21 has joined #openstack-keystone04:28
*** GB21 has quit IRC04:32
stevemarjamielennox: any additional changes to KSM for allow-expired?04:35
stevemarjamielennox: or you want me to release a new version of that now and we can get testing?04:35
jamielennoxstevemar: ksm has a couple and will probably be last04:36
jamielennoxksm needs ksc needs k04:36
jamielennoxs04:36
jamielennoxwhat's happening with https://review.openstack.org/#/c/379035/ - the change it depends-on is merged and it has +A04:38
*** david-lyle_ has quit IRC04:39
stevemarjamielennox: it needs a kick in the pants?04:39
openstackgerritSteve Martinelli proposed openstack/keystone: Ignore unknown arguments to fetch_token  https://review.openstack.org/37903504:39
jamielennoxoh, it's merged?04:39
stevemarnope04:39
jamielennoxit says it's merged but it's still sitting in my queue04:39
*** david-lyle has joined #openstack-keystone04:39
jamielennoxoh, o - Change has been successfully merged into the git repository by Jenkins04:39
jamielennoxprobably should report that to infra04:40
stevemarjamielennox: so... you want me to release ksm or not?04:40
stevemarthat was weird04:40
openstackgerritjian.song proposed openstack/keystone: Remove max-length in saml.py  https://review.openstack.org/38632904:41
jamielennoxstevemar: nope -it's in the tree, it's just still hanging out as open in gerrit04:42
jamielennoxstevemar: so i don't see anything in there that is worth releasing for04:43
jamielennoxstevemar: but if you want it i don't mind04:44
stevemarjamielennox: i figure you needed a new ksm for the allow-expiry work?04:44
*** GB21 has joined #openstack-keystone04:44
jamielennoxstevemar: nah, the keystone stuff can happen before that04:45
stevemarjamielennox: weird, i'll push for one anyway, it'll be good to get one before the summit04:46
stevemarotherwise we're likely to go a few weeks without a release04:46
jamielennoxstevemar: oh, i put a depends-on from the keystone patch to the keystonemiddleware one04:46
jamielennoxstevemar: that was safe, but we don't really need it because the whole point is it has to be compatible with old and new versions04:47
jamielennoxso the keystone patches can go in without waiting for auth_token middleare04:47
jamielennoxit's just if someone wanted to rename the variable or something we didn't want to merge the keystone one first04:47
stevemarjamielennox: right, i'm just trying to bump the minimum version of ksm needed for ocata -- just trying to be aggresive about it04:48
*** jaosorior has quit IRC04:49
jamielennoxstevemar: i wouldn't worry about it, there's nothing in master we need and there will be stuff we want when all this allow_expired stuff actually lands04:49
stevemarjamielennox: alrighty04:50
jamielennoxyears of openstack later i still have nfi what to do when i get "No valid host was found."04:52
jamielennoxhow is there still no debug info for that04:52
stevemarhaha04:52
*** guoshan has joined #openstack-keystone05:20
*** sdake has quit IRC05:23
*** guoshan has quit IRC05:25
openstackgerritMerged openstack/keystonemiddleware: Update code to use Newton as the code name  https://review.openstack.org/36870705:25
*** davechen1 has joined #openstack-keystone05:30
*** davechen has quit IRC05:33
*** richm has quit IRC05:39
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/38637705:43
openstackgerritOpenStack Proposal Bot proposed openstack/python-keystoneclient-kerberos: Updated from global requirements  https://review.openstack.org/37368605:43
*** sheel has joined #openstack-keystone05:45
openstackgerritMerged openstack/keystone: Move the token abstract base class out of core  https://review.openstack.org/38610205:48
openstackgerritiswarya vakati proposed openstack/keystone: Drop MANIFEST.in - it's not needed by pbr  https://review.openstack.org/38638405:50
*** tqtran has quit IRC05:52
*** woodster_ has quit IRC05:55
jamielennoxstevemar: lol, i don't mean to laugh but you got the wrong keystoneauth version: https://review.openstack.org/#/c/386135/05:59
jamielennoxstevemar: your message says 2.14, your code says 2.1306:00
*** tqtran has joined #openstack-keystone06:11
*** guoshan has joined #openstack-keystone06:11
*** adriant has quit IRC06:13
stevemarjamielennox: lol06:13
stevemarjamielennox: that is laugh worthy06:13
stevemarjamielennox: resurrect https://review.openstack.org/#/c/386295/ ?06:14
jamielennoxmeh - i don't care who does it06:14
jamielennoxbut yea, i can06:15
*** nkinder has quit IRC06:18
jamielennoxstevemar: restored and rebased06:18
stevemarjamielennox: thanks! can't believe i made that mistake :)06:18
*** Zer0Byte__ has quit IRC06:19
*** Zer0Byte__ has joined #openstack-keystone06:21
*** guoshan_ has joined #openstack-keystone06:22
*** pcaruana has joined #openstack-keystone06:23
*** guoshan has quit IRC06:25
*** guoshan has joined #openstack-keystone06:26
*** guoshan_ has quit IRC06:26
*** Zer0Byte__ has quit IRC06:30
openstackgerritMerged openstack/keystone: Ignore unknown arguments to fetch_token  https://review.openstack.org/37903506:30
*** spzala has joined #openstack-keystone06:38
openstackgerritMerged openstack/keystone: Return password_expires_at during auth  https://review.openstack.org/36700806:42
*** spzala has quit IRC06:42
*** asettle has joined #openstack-keystone07:01
openstackgerritMerged openstack/keystonemiddleware: Updated from global requirements  https://review.openstack.org/38636307:01
*** asettle has quit IRC07:02
openstackgerritGeorge Tian proposed openstack/keystone: Remove unused arg(project and initiator)  https://review.openstack.org/38641307:03
*** tesseract- has joined #openstack-keystone07:05
openstackgerritMerged openstack/python-keystoneclient: Updated from global requirements  https://review.openstack.org/38637707:12
*** srihitha_ has quit IRC07:13
*** bjolo has quit IRC07:17
*** bjolo has joined #openstack-keystone07:18
*** rcernin has joined #openstack-keystone07:20
*** amoralej|off is now known as amoralej07:27
*** tqtran has quit IRC07:35
*** namnh has joined #openstack-keystone07:55
*** zzzeek has quit IRC08:00
*** zzzeek has joined #openstack-keystone08:03
*** zhugaoxiao has quit IRC08:16
*** zhugaoxiao has joined #openstack-keystone08:16
*** jaosorior has joined #openstack-keystone08:19
*** asettle has joined #openstack-keystone08:23
*** tqtran has joined #openstack-keystone08:32
*** davechen1 has left #openstack-keystone08:35
*** timss has quit IRC08:36
*** timss has joined #openstack-keystone08:36
*** tqtran has quit IRC08:37
*** guoshan has quit IRC09:00
*** guoshan has joined #openstack-keystone09:01
bretono/09:31
*** wangqun has quit IRC09:35
*** jaosorior has quit IRC09:40
*** jaosorior has joined #openstack-keystone09:40
*** openstackstatus has quit IRC09:44
*** openstack has joined #openstack-keystone09:45
*** openstackstatus has joined #openstack-keystone09:46
*** ChanServ sets mode: +v openstackstatus09:46
*** tqtran has joined #openstack-keystone10:04
*** tqtran has quit IRC10:08
*** richm has joined #openstack-keystone10:08
*** code-R has joined #openstack-keystone10:11
*** openstackstatus has quit IRC10:13
*** openstack has joined #openstack-keystone10:13
*** code-R_ has joined #openstack-keystone10:14
*** openstackstatus has joined #openstack-keystone10:14
*** ChanServ sets mode: +v openstackstatus10:14
*** hoangcx has quit IRC10:15
*** namnh has quit IRC10:17
*** code-R has quit IRC10:17
*** guoshan_ has joined #openstack-keystone10:19
*** guoshan has quit IRC10:22
*** guoshan_ has quit IRC10:24
openstackgerritMerged openstack/keystone: Fix a typo in token_formatters.py  https://review.openstack.org/38631010:25
*** bjolo has quit IRC10:28
*** bjolo has joined #openstack-keystone10:28
bretonthat feel when i open a patch for review, leave it in a tab and when get back to it, it is already merged.10:33
*** nicolasbock has joined #openstack-keystone10:33
*** TonyXu has quit IRC10:33
*** spzala has joined #openstack-keystone10:38
*** spzala has quit IRC10:43
*** richm has quit IRC10:46
*** christop1ler has joined #openstack-keystone10:55
christop1lerHi. Ive got a keystone instance behind an nginx upstream, and Im getting 403 forbidden. The site serves directly over the ip/port. Im using nginx to upstream to some pyramid instances, and I cant see any difference in the implementation. Anyone got any experience / ideas?10:57
*** dave-mccowan has joined #openstack-keystone10:58
christop1lerhttp://paste.ofcode.org/DgD3MQpHKGe3rjAtazYvR810:58
*** richm has joined #openstack-keystone11:01
*** code-R_ has quit IRC11:03
bretonare you getting 403 from nginx or from keystone?11:09
*** jgrassler has joined #openstack-keystone11:15
*** code-R has joined #openstack-keystone11:26
openstackgerritColleen Murphy proposed openstack/keystone: Update, correct, and enhance federation docs  https://review.openstack.org/37121011:26
*** dgonzalez has quit IRC11:26
*** amoralej is now known as amoralej|lunch11:28
*** dgonzalez has joined #openstack-keystone11:43
*** GB21 has quit IRC11:43
*** akscram1 is now known as akscram11:58
*** ayoung has quit IRC12:00
*** links has quit IRC12:02
*** voelzmo has joined #openstack-keystone12:07
*** edmondsw has joined #openstack-keystone12:09
*** raildo has joined #openstack-keystone12:09
dolphmdoesn't auth_token have an option to require that the protected endpoint appears in the service catalog?12:10
dolphmif so, i don't see the option on https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_opts.py12:10
*** maticue has joined #openstack-keystone12:10
dolphmotherwise, endpoint filtering is nothing but obfuscation12:10
*** links has joined #openstack-keystone12:14
*** lamt has quit IRC12:29
*** openstackstatus has quit IRC12:43
*** openstack has joined #openstack-keystone12:43
*** openstackstatus has joined #openstack-keystone12:44
*** ChanServ sets mode: +v openstackstatus12:44
*** Guest76323 is now known as tlbr12:46
*** ddieterly has joined #openstack-keystone12:53
openstackgerritMerged openstack/oslo.policy: Change assertTrue(isinstance()) by optimal assert  https://review.openstack.org/38630912:53
*** ayoung has joined #openstack-keystone12:53
*** ChanServ sets mode: +v ayoung12:53
*** spzala has joined #openstack-keystone12:54
*** dikonoo has quit IRC12:58
dstanekdolphm: i always thought that's all it was12:59
*** code-R has quit IRC12:59
*** ddieterly has quit IRC13:00
dolphmdstanek: i swear there was something based on endpoint ID in auth_token to actually make it useful13:00
*** sdake_ has joined #openstack-keystone13:03
*** pnavarro has joined #openstack-keystone13:12
*** code-R has joined #openstack-keystone13:13
*** jperry has joined #openstack-keystone13:15
bknudsondolphm: nobody ever wrote that.13:15
dolphmfun13:15
dolphmdstanek: bknudson: thanks for the sanity check13:16
*** links has quit IRC13:16
*** ayoung has quit IRC13:17
*** TonyXu has joined #openstack-keystone13:19
*** Guest10825 is now known as zeus`13:19
*** zeus` is now known as zeus13:19
*** zeus has quit IRC13:20
*** zeus has joined #openstack-keystone13:20
*** daemontool has joined #openstack-keystone13:22
raildodolphm, when you are looking for the difference between --debug and --verbose and the first link that you find is: http://dolphm.com/debug-vs-verbose/13:22
raildodolphm, thanks sir :)13:22
dolphmraildo: ha13:22
*** ddieterly has joined #openstack-keystone13:28
*** Zer0Byte__ has joined #openstack-keystone13:31
*** Zer0Byte__ has quit IRC13:32
*** ddieterly has quit IRC13:34
*** Marcellin__ has joined #openstack-keystone13:39
*** amoralej|lunch is now known as amoralej13:50
*** pnavarro has quit IRC13:50
*** sdake has joined #openstack-keystone14:00
*** gagehugo has joined #openstack-keystone14:04
*** sdake_ has quit IRC14:04
*** tqtran has joined #openstack-keystone14:06
openstackgerritMerged openstack/python-keystoneclient: Use exceptions from Keystoneauth  https://review.openstack.org/35970514:10
*** tqtran has quit IRC14:11
voelzmoHey, is there some equivalent to AWS IAM instance profiles in OpenStack? http://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html14:11
*** voelzmo has quit IRC14:14
*** ddieterly has joined #openstack-keystone14:16
*** voelzmo has joined #openstack-keystone14:18
dstanekvoelzmo: i'm not sure what an instance profile is14:20
*** chris_hultin|AWA is now known as chris_hultin14:23
voelzmo@dstanek you can inject short-lived credentials with a well-defined scope into a VM using the metadata service14:27
voelzmoe.g. give a VM credentials that allow to upload an image, but not start a VM14:28
voelzmoSo I guess the question consists of different things:14:29
voelzmo1. can I create credentials for fine-grained access on the fly?14:30
voelzmo2. can I provide credentials to VMs using something like the metadata service14:30
dstanekvoelzmo: no i don't not believe there is a way to limit credentials to an operation14:31
dstanekthat's what i've wanted for a while, but i don't think it exists14:31
voelzmoSo you're either an admin in a Domain or you are a member14:32
*** haplo37_ has quit IRC14:34
*** TonyXu has quit IRC14:34
*** TonyXu has joined #openstack-keystone14:34
*** lamt has joined #openstack-keystone14:35
edmondswvoelzmo, you can customize policy to create additional roles besides admin, to get fine-grained access... what you can't do is the "on the fly" bit, or #214:35
voelzmoso all of this is configuration during install-time?14:36
*** haplo37_ has joined #openstack-keystone14:36
edmondswcustomizing policy would be an install-time, thing, yes14:36
edmondswcreating credentials could be whenever14:37
*** Zer0Byte__ has joined #openstack-keystone14:38
*** sdake_ has joined #openstack-keystone14:38
voelzmomh, so none of this is possible :(14:39
voelzmoI wonder how people use the OpenStack API from VMs created in OpenStack14:39
dstanekedmondsw: can we scope to a role?14:39
voelzmoor how they give other people scoped credentials for their specific use14:40
*** ayoung has joined #openstack-keystone14:40
*** ChanServ sets mode: +v ayoung14:40
*** ddieterly is now known as ddieterly[away]14:40
edmondswdstanek what do you mean?14:40
voelzmolike only allowing to upload stuff to a swift bucket or so14:40
*** sdake_ has quit IRC14:40
edmondswayoung ^14:40
dstanekyou can't recreate a only-create-vms role and have a token only apply that role can you?14:40
*** sdake has quit IRC14:41
edmondsws/recreate/create/ ?14:41
ayoungedmondsw, I might not have the context in this window14:41
edmondswsure, you can create a role that only lets you create VMs14:41
ayoungedmondsw, I was moving locations, and got disconnected...what are we discusssing?14:42
dstanekedmondsw: can you limit the list of roles for a user dynamically?14:42
voelzmoayoung: essentially if there is an equivalent to AWS's IAM instance profiles, and which parts would be missing in OpenStack to get somethiing like that14:42
ayoungdstanek, you mean, request a token with a subset of a users roles?14:43
edmondswayoung started here: http://eavesdrop.openstack.org/irclogs/%23openstack-keystone/%23openstack-keystone.2016-10-14.log.html#t2016-10-14T14:11:4614:43
dstanekayoung: yesah14:43
ayoungdstanek, I proposed a long time ago14:43
ayounghas not merged14:43
dstaneki remember us talking about it, but i don't think it was done14:43
ayoungonly trusts today can do that14:43
dstanekok, right14:43
ayoungdstanek, I do have this:14:43
edmondswright14:43
ayounghttps://review.openstack.org/#/c/186979/14:43
*** rvba` has quit IRC14:43
*** rvba has joined #openstack-keystone14:43
dstaneki wonder if trusts can be used for this then, but certainly not specific instances of resources14:44
*** rvba has quit IRC14:44
*** rvba has joined #openstack-keystone14:44
ayoungand, in support of that...14:44
*** michauds has joined #openstack-keystone14:44
edmondswvoelzmo is asking " I wonder how people use the OpenStack API from VMs created in OpenStack or how they give other people scoped credentials for their specific use like only allowing to upload stuff to a swift bucket or so"14:44
ayounghttps://review.openstack.org/#/c/310074/14:44
ayoungedmondsw, it is frightening14:44
ayoungdon't think about it if you want to sleep at night14:44
edmondswyeah... which is why I thought you'd better explain it rather than me ;)14:44
ayoungedmondsw, can you file it as a CVE? Then maybe my chain-of-command will prioritize me working on it?14:45
edmondswI think you meant to direct that to voelzmo14:45
edmondswhe was the one asking14:45
ayoungedmondsw, I don't care who files it14:45
ayoungI just want the damn thing fixed14:46
edmondswyeah, but I'm not the one who cares about it... yet...14:46
edmondsw;)14:46
ayoungedmondsw, so that is why "implied roles"14:46
ayoungget a token with a single role assigned to it, but use assigned roles to expand out the roles implied by that14:46
*** ddieterly[away] is now known as ddieterly14:46
voelzmosorry, I'm not familiar with the usual processes, where should I file that? Don't care if you label it a CVE, bug, or feature :P14:46
ayoungvoelzmo, I was being flippant14:47
ayoungit is a security related issue, but a well known one14:47
ayoungand thus not a CVE14:47
ayoungthere is this bug which is the first step14:47
ayounghttps://bugs.launchpad.net/keystone/+bug/96869614:47
openstackLaunchpad bug 968696 in OpenStack Identity (keystone) ""admin"-ness not properly scoped" [High,In progress] - Assigned to Adam Young (ayoung)14:47
ayoungbeyond that, there are specs and design discussions14:48
ayoungif you can file a bug for your use case, please do, and let me know14:48
ayoungedmondsw, stop stealing my bug assignments!14:48
ayoungI am actually actively working on the Policy changes for Nova14:48
ayoungI appreciate your input, but would rather have you as a reviewer, so the fixes actually merge14:48
ayoung:)14:49
edmondswdstanek, back to your question... what I was suggesting was that you could create a role with very specific permissions and then a user with only that role and give the VM that user's credentials... NOT that you would do any of this on the fly, or that the token would show less roles than the full set of that user... just that the user really only has this role14:49
ayoungI figured out why the is_admin check was needed, and have a fix for it for most tests14:49
edmondswnot what we really want, but might work for some applications14:49
edmondswayoung, it should merge now that I've fixed it... it wouldn't have before ;)14:49
ayoungedmondsw, a user can create a trust with themselves as the trustor and trustee, and use that trust to get a token, then pass that token to an application14:50
ayoungand that trust would only have the subordinate role in it14:50
dstanekedmondsw: but they you'd have a bunch of ghost users right?14:50
ayoungedmondsw, for a VM, I would do roughly the same thing14:50
ayoungdstanek, yes, but those ghost users go in their own domain14:51
edmondswdstanek depends on whether you want to use a different user for each VM or just reuse the same one14:51
ayoungso they are cheap...one per VM14:51
edmondswcool14:51
ayoungHeat does this already14:51
ayoungcool heat!14:51
dstanekfor example, on this project i was to give fred the ability to write to a swift domain and on thie other project he should be able to recreate vms. so fred has two users in openstack?14:51
edmondswayoung, are you going to elaborate on your is_admin check comment or go review the changes I made and see how nice they are? ;)14:51
voelzmoayoung: so from the bug I'm entirely unsure what the state of your bug is. Is this something that will actually we fixed sometime soon(ish)?14:52
ayoungedmondsw, I am still working on it.  I'll pull in your suggestions, but I have not looked since the one you submitted last afternoon14:52
ayoungvoelzmo, working on it now14:52
edmondswI fixed the UTs this morning... didn't change anything else14:52
*** sdake has joined #openstack-keystone14:53
dstanekvoelzmo: what version of keystone are you running? you'd likely have to go to master or the upcoming release to get the fixes14:53
voelzmodstanek: We're running Mitaka14:53
voelzmoOnce Newton is available I guess we're switching to it. Unfortunately it will take another 3 months until distributors have created a new release from that...14:54
*** thiagolib has joined #openstack-keystone14:56
*** rcernin has quit IRC15:02
*** agrebennikov has joined #openstack-keystone15:02
*** sdake_ has joined #openstack-keystone15:03
*** ddieterly is now known as ddieterly[away]15:04
*** daemontool_ has joined #openstack-keystone15:05
*** sdake has quit IRC15:05
*** voelzmo has quit IRC15:06
*** daemontool_ has quit IRC15:08
*** daemontool has quit IRC15:08
*** dave-mccowan has quit IRC15:09
christop1lerHey, Keystone, Whats the prevailing wisdom on client vs server side facebook authentication?15:15
*** pcaruana has quit IRC15:15
stevemareasy review: https://mail.google.com/mail/u/0/#all/157c1be360c3939d15:17
*** cargonza has quit IRC15:22
*** BlackDex has quit IRC15:22
*** cargonza has joined #openstack-keystone15:23
*** dave-mccowan has joined #openstack-keystone15:24
*** ddieterly[away] is now known as ddieterly15:26
*** dflorea has joined #openstack-keystone15:28
bretonstevemar: +115:29
*** brofessor is now known as akrzos15:31
openstackgerritLance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token  https://review.openstack.org/38666515:31
*** GB21 has joined #openstack-keystone15:32
*** lamt has quit IRC15:37
*** adrian_otto has joined #openstack-keystone15:40
*** GB21 has quit IRC15:47
*** dave-mccowan has quit IRC15:51
*** ddieterly is now known as ddieterly[away]15:52
*** sdake has joined #openstack-keystone15:54
*** tesseract- has quit IRC15:54
*** ddieterly[away] is now known as ddieterly15:55
*** sdake_ has quit IRC15:56
openstackgerritayoung proposed openstack/keystone: Fernet token formatter with explicit role  https://review.openstack.org/31007415:58
openstackgerritMerged openstack/keystone: Add is_admin_project to policy dict  https://review.openstack.org/37185615:59
*** Zer0Byte__ has quit IRC16:01
*** dave-mccowan has joined #openstack-keystone16:01
*** code-R has quit IRC16:01
*** Zer0Byte__ has joined #openstack-keystone16:04
*** asettle__ has joined #openstack-keystone16:17
*** asettle has quit IRC16:21
*** asettle__ has quit IRC16:21
*** xek_ has quit IRC16:25
*** xek_ has joined #openstack-keystone16:26
*** sdake_ has joined #openstack-keystone16:38
*** adrian_otto has quit IRC16:39
*** dflorea has quit IRC16:39
*** adrian_otto has joined #openstack-keystone16:39
*** sdake has quit IRC16:40
*** adrian_otto has quit IRC16:43
*** nkinder has joined #openstack-keystone16:54
openstackgerritSteve Martinelli proposed openstack/keystone: Invalidate trust when the related project is deleted  https://review.openstack.org/38444416:55
*** xek_ has quit IRC16:55
*** xek_ has joined #openstack-keystone16:56
stevemarhenrynash: ^16:56
*** browne has joined #openstack-keystone16:58
*** ddieterly is now known as ddieterly[away]17:00
*** amoralej is now known as amoralej|off17:00
*** chris_hultin is now known as chris_hultin|AWA17:01
*** gyee has joined #openstack-keystone17:06
*** jlk is now known as omgwtfjlk17:06
*** adrian_otto has joined #openstack-keystone17:08
*** michauds has quit IRC17:12
*** code-R has joined #openstack-keystone17:17
*** dikonoo has joined #openstack-keystone17:17
*** links has joined #openstack-keystone17:18
*** code-R_ has joined #openstack-keystone17:18
*** dflorea has joined #openstack-keystone17:19
morganstevemar: +2. lgtm17:20
morganstevemar: didn't +A since no jenkins response yet17:20
stevemarmorgan: oh jenkins will be fine, PS4 had a +1 from jenkins and PS5 is just a releasenote change17:21
*** code-R has quit IRC17:21
morganstevemar: feel free to +A17:21
stevemarmorgan: want to review the patch it depends on? :)17:21
morganuh... maybe17:22
morgan:P17:22
openstackgerritRon De Rose proposed openstack/keystone: Remove backend dependencies from token provider  https://review.openstack.org/38613617:22
stevemarmorgan: ty! :)17:28
*** tqtran has joined #openstack-keystone17:30
*** Zer0Byte__ has quit IRC17:32
*** scarlisle has joined #openstack-keystone17:35
*** artmr has joined #openstack-keystone17:38
*** alex_xu_ has quit IRC17:39
*** jaosorior has quit IRC17:40
*** jaosorior has joined #openstack-keystone17:40
artmrHello all, whom interested make review17:42
*** alex_xu has joined #openstack-keystone17:42
artmrhttps://review.openstack.org/#/c/375730/  https://review.openstack.org/#/c/378001/17:43
openstackgerritArthur Miranda proposed openstack/python-keystoneclient: Prevent attempts to "filter" list() calls by globally unique IDs  https://review.openstack.org/37800117:47
*** pcaruana has joined #openstack-keystone17:48
*** lamt has joined #openstack-keystone17:56
*** dflorea has quit IRC17:58
*** dflorea has joined #openstack-keystone18:00
*** chris_hultin|AWA is now known as chris_hultin18:06
openstackgerritLance Bragstad proposed openstack/keystone: refactor the token controller  https://review.openstack.org/38672618:06
*** AndyWojo is now known as suburban_killade18:15
*** Zer0Byte__ has joined #openstack-keystone18:20
*** chris_hultin is now known as chris_hultin|AWA18:24
*** michauds has joined #openstack-keystone18:25
*** dikonoo has quit IRC18:26
*** hoonetorg has quit IRC18:30
*** dflorea has quit IRC18:33
*** nkinder has quit IRC18:40
*** links has quit IRC18:41
*** hoonetorg has joined #openstack-keystone18:41
openstackgerritColleen Murphy proposed openstack/keystone: Update, correct, and enhance federation docs  https://review.openstack.org/37121018:42
*** afred312_ has joined #openstack-keystone18:42
*** code-R has joined #openstack-keystone18:43
*** wolsen_ has joined #openstack-keystone18:44
*** auggy_ has joined #openstack-keystone18:44
*** raddaoui_ has joined #openstack-keystone18:45
*** dflorea has joined #openstack-keystone18:45
*** christophler has joined #openstack-keystone18:46
*** nikhil_ has joined #openstack-keystone18:47
*** nikhil_ is now known as Guest3099818:47
*** jlk has joined #openstack-keystone18:48
*** jlk has quit IRC18:48
*** jlk has joined #openstack-keystone18:48
*** dolphm_ has joined #openstack-keystone18:49
*** ChanServ sets mode: +o dolphm_18:49
*** odyssey4me_ has joined #openstack-keystone18:49
*** krotscheck_ has joined #openstack-keystone18:49
*** BrAsS_mOnKeY has joined #openstack-keystone18:49
*** oomichi_ has joined #openstack-keystone18:49
*** med_` has joined #openstack-keystone18:49
*** knikolla_ has joined #openstack-keystone18:50
*** dflorea has quit IRC18:50
*** topol_ has joined #openstack-keystone18:50
*** _d34dh0r53_ has joined #openstack-keystone18:51
*** beddari1 has joined #openstack-keystone18:51
*** lamt has quit IRC18:51
*** code-R_ has quit IRC18:51
*** TonyXu has quit IRC18:51
*** timss has quit IRC18:51
*** omgwtfjlk has quit IRC18:51
*** samueldmq has quit IRC18:51
*** xenogear has quit IRC18:51
*** afred312 has quit IRC18:51
*** nikhil has quit IRC18:51
*** d34dh0r53 has quit IRC18:51
*** med_ has quit IRC18:51
*** raddaoui has quit IRC18:51
*** vkramskikh has quit IRC18:51
*** knikolla has quit IRC18:51
*** odyssey4me has quit IRC18:51
*** BrAsS_mO- has quit IRC18:51
*** topol has quit IRC18:51
*** jistr has quit IRC18:51
*** fungi has quit IRC18:51
*** andrewbogott has quit IRC18:51
*** oomichi has quit IRC18:51
*** d0ugal has quit IRC18:51
*** krotscheck has quit IRC18:51
*** christop1ler has quit IRC18:51
*** twouters has quit IRC18:51
*** beddari has quit IRC18:51
*** wolsen has quit IRC18:51
*** auggy has quit IRC18:51
*** suburban_killade has quit IRC18:51
*** _fortis has quit IRC18:51
*** lbragstad has quit IRC18:51
*** dolphm has quit IRC18:51
*** oomichi_ is now known as oomichi18:51
*** dolphm_ is now known as dolphm18:51
*** krotscheck_ is now known as krotscheck18:51
openstackgerritMerged openstack/keystone: Invalidate trust when the trustor or trustee is deleted  https://review.openstack.org/36935418:51
*** suburban_killade has joined #openstack-keystone18:51
*** odyssey4me_ is now known as odyssey4me18:51
*** suburban_killade has quit IRC18:52
*** suburban_killade has joined #openstack-keystone18:52
*** ddieterly[away] is now known as ddieterly18:52
*** vkramskikh has joined #openstack-keystone18:52
*** Guest30998 is now known as nikhil18:52
*** auggy_ is now known as auggy18:53
*** raddaoui_ is now known as raddaoui18:53
*** lbragstad has joined #openstack-keystone18:53
*** edmondsw has quit IRC18:54
*** jistr has joined #openstack-keystone18:54
*** wolsen_ is now known as wolsen18:54
*** xenogear has joined #openstack-keystone18:55
*** adrian_otto has quit IRC18:56
*** timss has joined #openstack-keystone18:56
*** voelzmo has joined #openstack-keystone18:56
voelzmosorry, had to leave ;( Just wanted to say thanks, ayoung and dstanek.18:57
ayoungvoelzmo, your are very welcome18:58
voelzmoAre you in Barcelona at the summit in two weeks? Still looking for a way to discuss the IAM instance profile stuff in person with someone.18:59
*** _fortis_ has joined #openstack-keystone19:00
*** TonyXu has joined #openstack-keystone19:00
*** d0ugal has joined #openstack-keystone19:01
*** fungi has joined #openstack-keystone19:01
lbragstadstevemar does anything use the Ec2Controller anymore?19:01
*** twouters has joined #openstack-keystone19:02
*** twouters has joined #openstack-keystone19:02
*** andrewbogott has joined #openstack-keystone19:02
*** samueldmq has joined #openstack-keystone19:03
*** ChanServ sets mode: +v samueldmq19:03
*** andrewbogott has quit IRC19:05
*** andrewbogott has joined #openstack-keystone19:05
*** jdennis has quit IRC19:05
*** jdennis has joined #openstack-keystone19:08
*** _fortis_ is now known as _fortis19:09
*** voelzmo has quit IRC19:09
*** browne has quit IRC19:11
*** voelzmo has joined #openstack-keystone19:13
stevemarlbragstad: pfft, maybe?19:14
lbragstadstevemar I ask because I can guarantee that I broke https://github.com/openstack/keystone/blob/f98e8fd0db45936e95aab6b44a6a9c7d2cbb6a95/keystone/contrib/ec2/controllers.py#L28319:15
lbragstadi ran all the tests and nothing failed19:15
stevemarlbragstad: the ec2 and s3 extensions are probably the one part of the keystone code base i am somewhat unfamiliar with19:16
*** edmondsw has joined #openstack-keystone19:19
*** ddieterly has quit IRC19:19
stevemarlbragstad: could be a lack fo tests19:19
*** ayoung has quit IRC19:21
*** dflorea has joined #openstack-keystone19:21
*** dave-mccowan has quit IRC19:23
*** jaosorior_ has joined #openstack-keystone19:24
*** vkramskikh has quit IRC19:29
*** BrAsS_mOnKeY has quit IRC19:29
*** auggy has quit IRC19:31
*** ayoung has joined #openstack-keystone19:31
*** ChanServ sets mode: +v ayoung19:31
*** BrAsS_mOnKeY has joined #openstack-keystone19:32
*** auggy has joined #openstack-keystone19:32
*** vkramskikh has joined #openstack-keystone19:33
*** code-R has quit IRC19:35
*** dave-mccowan has joined #openstack-keystone19:49
*** raildo has quit IRC19:51
*** voelzmo has quit IRC19:57
*** nkinder has joined #openstack-keystone19:57
*** clenimar has quit IRC19:58
*** jaosorior has quit IRC19:59
*** jaosorior_ is now known as jaosorior19:59
*** lamt has joined #openstack-keystone20:01
*** adrian_otto has joined #openstack-keystone20:01
*** jlwhite has quit IRC20:02
*** antwash has quit IRC20:02
*** maticue has quit IRC20:03
*** jlwhite has joined #openstack-keystone20:03
*** nkinder has quit IRC20:03
openstackgerritMerged openstack/keystone: Invalidate trust when the related project is deleted  https://review.openstack.org/38444420:04
*** antwash has joined #openstack-keystone20:04
lbragstaddstanek do you know if we fixed that bug where revocation events were too broad?20:06
dstaneklbragstad: I'm not entirely sure20:07
lbragstaddstanek for some reason I thought that was fixed in all the revocation event fixes you did20:07
dstanekIt may have been. I closed a few bugs with that. Did we have a bug on longer for this?20:08
lbragstaddstanek i'm not sure - i'm playing with something locally and I seem to have transients in keystone.tests.unit.test_backend_sql.SqlTokenCacheInvalidationWithPKI.test_delete_unscoped_token20:09
lbragstad^ that's one case of the transients20:09
lbragstadand it only happens when I run the tests concurrently20:09
lbragstadwhich made it smell like an overly generalized revocation event was interfering with the test20:09
*** antwash has quit IRC20:12
*** gyee has quit IRC20:13
*** antwash has joined #openstack-keystone20:14
*** maticue has joined #openstack-keystone20:15
openstackgerritLance Bragstad proposed openstack/keystone: Use issue_v3_token instead of issue_v2_token  https://review.openstack.org/38666520:15
openstackgerritLance Bragstad proposed openstack/keystone: refactor the token controller  https://review.openstack.org/38672620:15
openstackgerritLance Bragstad proposed openstack/keystone: Remove issue_v2_token  https://review.openstack.org/38676220:15
*** pcaruana has quit IRC20:18
lbragstaddstanek i recreated it in the last patch of that series ^20:19
*** browne has joined #openstack-keystone20:20
*** sheel has quit IRC20:20
*** antwash has quit IRC20:23
*** jlwhite_ has joined #openstack-keystone20:23
*** jlwhite has quit IRC20:24
*** jlwhite_ is now known as jlwhite20:24
*** antwash has joined #openstack-keystone20:25
lbragstadrderose nice! https://review.openstack.org/#/c/386102/20:29
dstaneklbragstad: uggg..20:44
*** asettle has joined #openstack-keystone20:44
*** ddieterly has joined #openstack-keystone20:45
*** gyee has joined #openstack-keystone20:51
*** dave-mccowan has quit IRC21:03
*** michauds has quit IRC21:06
*** jlwhite_ has joined #openstack-keystone21:07
*** antwash has quit IRC21:07
*** jlwhite has quit IRC21:07
*** jlwhite_ is now known as jlwhite21:07
*** antwash has joined #openstack-keystone21:09
rderoselbragstad: thanks man :)21:13
rderoselbragstad: have another one coming :) https://review.openstack.org/#/c/386136/21:14
lbragstadrderose ah ha - sweet!21:14
*** nkinder has joined #openstack-keystone21:18
*** thiagolib has quit IRC21:18
*** adrian_otto has quit IRC21:23
*** adrian_otto has joined #openstack-keystone21:25
*** gyee has quit IRC21:25
*** edmondsw has quit IRC21:26
*** adrian_otto has quit IRC21:30
*** adrian_otto has joined #openstack-keystone21:32
*** nkinder has quit IRC21:33
*** adrian_otto has quit IRC21:35
*** adrian_otto has joined #openstack-keystone21:40
*** adrian_otto has quit IRC21:42
openstackgerritLance Bragstad proposed openstack/keystone: Remove issue_v2_token  https://review.openstack.org/38676221:46
*** asettle has quit IRC21:49
*** maticue has quit IRC21:56
*** iurygregory_ has joined #openstack-keystone22:02
*** jperry has quit IRC22:06
*** maticue has joined #openstack-keystone22:09
*** jaosorior has quit IRC22:10
openstackgerritLance Bragstad proposed openstack/keystone: Remove issue_v2_token  https://review.openstack.org/38676222:12
openstackgerritLance Bragstad proposed openstack/keystone: Remove issue_v3_token in favor of issue_token  https://review.openstack.org/38683722:12
lbragstaddstanek i ended up fixing it ^22:12
lbragstadwe now have a provider interface of issue_token and validate_token22:13
*** sdake_ has quit IRC22:14
*** lamt has quit IRC22:28
*** gagehugo has quit IRC22:43
*** sdake has joined #openstack-keystone22:44
openstackgerritRon De Rose proposed openstack/keystone: Remove backend dependencies from token provider  https://review.openstack.org/38613622:44
*** sdake has quit IRC22:57
*** Marcellin__ has quit IRC22:57
*** sdake has joined #openstack-keystone22:58
*** sdake has quit IRC22:58
*** sdake has joined #openstack-keystone23:06
*** nicolasbock has quit IRC23:08
*** scarlisle has quit IRC23:11
*** mgagne_ is now known as mgagne23:12
*** browne has quit IRC23:14
*** sdake has quit IRC23:21
*** nkinder has joined #openstack-keystone23:22
*** nkinder has quit IRC23:28
*** nkinder has joined #openstack-keystone23:45
*** Guest63380 has joined #openstack-keystone23:46
*** tqtran has quit IRC23:48
*** ddieterly is now known as ddieterly[away]23:55
*** Guest63380 has quit IRC23:57
*** Zer0Byte__ has quit IRC23:58
*** nkinder has quit IRC23:58
« Thursday, 2016-10-13 Index Saturday, 2016-10-15 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!